MIT kpasswd with heimdal kdc and kpasswdd
Alexander Bergolth
leo at strike.wu-wien.ac.at
Tue Mar 19 13:23:51 EST 2002
Hi!
When I'm trying to use MIT kpasswd to change a password on a Heimdal
server, I'm getting the following error:
> /usr/kerberos/bin/kpasswd leo
Password for leo at WU-WIEN.AC.AT:
/usr/kerberos/bin/kpasswd: Password incorrect while getting initial ticket
A packet dump using ethereal shows the following sequence:
(The frame number counts the packets that are sent over the net as
counted by ethereal)
1) Frame 1: kpasswd sends AS-REQ for kadmin/changepw
2) Frame 2: server replies preauth required
3) kpasswd prompts for a password
4) Frame 3: kpasswd sends AS-REQ for kadmin/changepw using
preauthentication
5) Frame 4: server responds with the ticket (type: des3-cbc-sha1)
6) Frame 5: kpasswd sends another AS-REQ for kadmin/changepw, now again
without preauth!
7) Frame 6: server replies preauth required
8) Frame 7: kpasswd sends AS-REQ for kadmin/changepw using
preauthentication
9) server again replies with a ticket
10) kpasswd prints the above error
The full dump in pcap-format for reading with ethereal can be found at
http://leo.kloburg.at/krb5/kpasswd-mit.dump
Using heimdal's kpasswd works fine. (It starts to communicate with
kpasswdd after step 5).
MIT kinit also works fine. (Maybe because it doesn't do preauthentication?)
Any hints?
--leo
P.S.:
Principal: leo at WU-WIEN.AC.AT
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 day 1 hour
Max renewable life: unlimited
Kvno: 10
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2002-03-19 17:48:59 UTC
Modifier: leo at WU-WIEN.AC.AT
Attributes:
Keytypes(salttype[(salt-value)]): des-cbc-md5(pw-salt()),
des-cbc-md4(pw-salt()), des-cbc-crc(pw-salt()), des3-cbc-sha1(pw-salt),
des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)
Principal: kadmin/changepw at WU-WIEN.AC.AT
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 5 minutes
Max renewable life: 5 minutes
Kvno: 1
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2002-03-15 11:27:57 UTC
Modifier: kadmin/admin at WU-WIEN.AC.AT
Attributes: pwchange-service, requires-pre-auth,
disallow-proxiable, disallow-renewable, disallow-tgt-based,
disallow-forwardable, disallow-postdated
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt),
des-cbc-md4(pw-salt), des-cbc-md5(pw-salt), des3-cbc-sha1(pw-salt)
KDC log:
Mar 19 18:49:10 spare kdc[4206]: AS-REQ leo at WU-WIEN.AC.AT from
IPv4:137.208.89.101 for kadmin/changepw at WU-WIEN.AC.AT
Mar 19 18:49:10 spare kdc[4206]: No PA-ENC-TIMESTAMP -- leo at WU-WIEN.AC.AT
Mar 19 18:49:10 spare kdc[4206]: sending 270 bytes to IPv4:137.208.89.101
Mar 19 18:49:12 spare kdc[4206]: AS-REQ leo at WU-WIEN.AC.AT from
IPv4:137.208.89.101 for kadmin/changepw at WU-WIEN.AC.AT
Mar 19 18:49:12 spare kdc[4206]: Looking for pa-data -- leo at WU-WIEN.AC.AT
Mar 19 18:49:12 spare kdc[4206]: Pre-authentication succeded --
leo at WU-WIEN.AC.AT
Mar 19 18:49:12 spare kdc[4206]: Using des3-cbc-sha1/des3-cbc-sha1
Mar 19 18:49:12 spare kdc[4206]: sending 578 bytes to IPv4:137.208.89.101
Mar 19 18:49:12 spare kdc[4206]: AS-REQ leo at WU-WIEN.AC.AT from
IPv4:137.208.89.101 for kadmin/changepw at WU-WIEN.AC.AT
Mar 19 18:49:12 spare kdc[4206]: No PA-ENC-TIMESTAMP -- leo at WU-WIEN.AC.AT
Mar 19 18:49:12 spare kdc[4206]: sending 270 bytes to IPv4:137.208.89.101
Mar 19 18:49:12 spare kdc[4206]: AS-REQ leo at WU-WIEN.AC.AT from
IPv4:137.208.89.101 for kadmin/changepw at WU-WIEN.AC.AT
Mar 19 18:49:12 spare kdc[4206]: Looking for pa-data -- leo at WU-WIEN.AC.AT
Mar 19 18:49:12 spare kdc[4206]: Pre-authentication succeded --
leo at WU-WIEN.AC.AT
Mar 19 18:49:12 spare kdc[4206]: Using des3-cbc-sha1/des3-cbc-sha1
Mar 19 18:49:12 spare kdc[4206]: sending 578 bytes to IPv4:137.208.89.101
-----------------------------------------------------------------------
Alexander (Leo) Bergolth leo at leo.wu-wien.ac.at
WU-Wien - Zentrum fuer Informatikdienste http://leo.wu-wien.ac.at
Computers are like air conditioners -
they stop working properly when you open Windows
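
Added example, not part of the original message: a small Python check that reads KDC log lines in the format quoted above and reports client/service pairs that were issued two or more pre-authenticated AS replies within a short window, the pattern seen in frames 3 to 8. It assumes unwrapped log lines, principals written as name@REALM, and a single KDC process whose lines are not interleaved; the host, principal and address in the sample are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the KDC log format quoted above; host, principal and
# address are placeholders, not values from the post.
P = "Mar 19 18:49:%02d kdc1 kdc[4206]: "
U, S, A = "user@EXAMPLE.ORG", "kadmin/changepw@EXAMPLE.ORG", "IPv4:192.0.2.10"
NO_PA = [f"AS-REQ {U} from {A} for {S}", f"No PA-ENC-TIMESTAMP -- {U}",
         f"sending 270 bytes to {A}"]
WITH_PA = [f"AS-REQ {U} from {A} for {S}", f"Looking for pa-data -- {U}",
           f"Pre-authentication succeded -- {U}",
           "Using des3-cbc-sha1/des3-cbc-sha1", f"sending 578 bytes to {A}"]
SAMPLE_LOG = "\n".join((P % sec) + msg for sec, msgs in
                       [(10, NO_PA), (12, WITH_PA), (12, NO_PA), (12, WITH_PA)]
                       for msg in msgs)

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ kdc\[\d+\]: (.*)$")
AS_REQ = re.compile(r"^AS-REQ (\S+) from (\S+) for (\S+)$")
YEAR = 2000  # assumption: syslog timestamps carry no year, so pin an arbitrary one

def find_repeated_as_req(log_text, window=timedelta(seconds=10)):
    """Return {(client, service): [(time, enctype), ...]} for pairs that got
    two or more pre-authenticated AS replies no more than `window` apart."""
    issued = defaultdict(list)
    cur = None  # the AS exchange currently being logged
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        req = AS_REQ.match(msg)
        if req:
            cur = {"key": (req.group(1), req.group(3)), "preauth": False, "etype": None}
        elif cur is None:
            continue
        elif msg.startswith("Pre-authentication succ"):  # logged as "succeded"
            cur["preauth"] = True
        elif msg.startswith("Using "):
            cur["etype"] = msg[len("Using "):]
        elif msg.startswith("sending "):  # reply sent: the exchange is complete
            if cur["preauth"]:
                issued[cur["key"]].append((ts, cur["etype"]))
            cur = None
    return {k: v for k, v in issued.items()
            if any(b[0] - a[0] <= window for a, b in zip(v, v[1:]))}

if __name__ == "__main__":
    print(find_repeated_as_req(SAMPLE_LOG))
```

A single "preauth required" round followed by one ticket is the normal exchange and is not reported; only a second ticket for the same pair inside the window is.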